[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/25821] New: Double free in readelf
From: |
nguyenmanhdung1710 at gmail dot com |
Subject: |
[Bug binutils/25821] New: Double free in readelf |
Date: |
Tue, 14 Apr 2020 23:57:25 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=25821
Bug ID: 25821
Summary: Double free in readelf
Product: binutils
Version: 2.35 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: nguyenmanhdung1710 at gmail dot com
Target Milestone: ---
Created attachment 12456
--> https://sourceware.org/bugzilla/attachment.cgi?id=12456&action=edit
PoC for a Double Free bug
Hi,
An double free was discovered in readelf (the latest commit f717994) in
process_symbol_table(), via a crafted file.
To reproduce: readelf -a PoC.
ASAN says:
==23637==ERROR: AddressSanitizer: attempting double-free on 0x60200000eef0 in
thread T0:
#0 0x7f6f6a79632a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
#1 0x4423c3 in process_symbol_table ../../binutils/readelf.c:12201
#2 0x4619d2 in process_object ../../binutils/readelf.c:20124
#3 0x463527 in process_file ../../binutils/readelf.c:20602
#4 0x463941 in main ../../binutils/readelf.c:20671
#5 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x402808 in _start (/home/dungnguyen/PoCs/readelf/readelf+0x402808)
0x60200000eef0 is located 0 bytes inside of 1-byte region
[0x60200000eef0,0x60200000eef1)
freed by thread T0 here:
#0 0x7f6f6a79632a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
#1 0x438faa in get_num_dynamic_syms ../../binutils/readelf.c:9999
#2 0x43a19c in process_dynamic_section ../../binutils/readelf.c:10273
#3 0x46198f in process_object ../../binutils/readelf.c:20114
#4 0x463527 in process_file ../../binutils/readelf.c:20602
#5 0x463941 in main ../../binutils/readelf.c:20671
#6 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f6f6a796662 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x4ddbca in xmalloc ../../libiberty/xmalloc.c:147
#2 0x49dab6 in cmalloc ../../binutils/dwarf.c:9898
#3 0x438a3e in get_dynamic_data ../../binutils/readelf.c:9923
#4 0x438f58 in get_num_dynamic_syms ../../binutils/readelf.c:9987
#5 0x43a19c in process_dynamic_section ../../binutils/readelf.c:10273
#6 0x46198f in process_object ../../binutils/readelf.c:20114
#7 0x463527 in process_file ../../binutils/readelf.c:20602
#8 0x463941 in main ../../binutils/readelf.c:20671
#9 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thanks,
Manh Dung
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/25821] New: Double free in readelf,
nguyenmanhdung1710 at gmail dot com <=